Securing FreeBSD Filesystem

Ini adalah script yang biasanya saya eksekusi di sistem FreeBSD saya setelah instalasi. Script ini bisa Anda copy dan paste di sistem Anda yang menggunakan sistem operasi FreeBSD, khususnya yang bertujuan untuk shell hosting. Kenapa Anda perlu mengamankan filesystem di FreeBSD? Jawabannya: jika Anda lihat kejadian 1 tahun terakhir, kebanyakan payload dari exploit yang ditemukan di FreeBSD memanfaatkan file yang bersuid root. Untuk itu, kita perlu meminimalkan file yang bersuid root. Berikut scriptnya:

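#!/bin/sh
# securing filesystem of FreeBSD
# basic information
# created by: Kalpin Erlangga Silaen
#
# Run as root on a freshly installed FreeBSD shell-hosting box. It
#   1. folds /var/tmp into /tmp,
#   2. restricts at(1)/batch(1) to root,
#   3. hides configuration files and information-leaking binaries from
#      "other", strips setuid from the chpass family and locks down a long
#      list of network/status binaries,
#   4. appends hardening knobs to /etc/sysctl.conf.
# Every target is checked for existence first, so the script also works on
# releases that lack some of the listed files, and sysctl.conf keys are only
# appended once, so the script can be re-run without duplicating entries.
# Not every change is free: read the NOTE comments next to /etc/group,
# /etc/hosts, /usr/local/bin and the sysctl values before running.

set -u

readonly SYSCTL_CONF=/etc/sysctl.conf
readonly AT_ALLOW=/var/at/at.allow

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

# set_mode MODE PATH...: chmod every PATH that exists, report the rest.
set_mode() {
  local mode p
  mode=$1
  shift
  for p in "$@"; do
    if [ -e "$p" ]; then
      chmod "$mode" "$p" || warn "chmod $mode $p failed"
    else
      warn "skip (not present): $p"
    fi
  done
}

# set_flags FLAGS PATH...: chflags every PATH that exists, report the rest.
set_flags() {
  local flags p
  flags=$1
  shift
  for p in "$@"; do
    if [ -e "$p" ]; then
      chflags "$flags" "$p" || warn "chflags $flags $p failed"
    else
      warn "skip (not present): $p"
    fi
  done
}

# Replace /var/tmp with a symlink to /tmp, keeping whatever it contained.
# NOTE: /var/tmp is meant to survive reboots while /tmp may be cleared at
# boot (clear_tmp_enable in rc.conf), so anything that relied on persistent
# /var/tmp data behaves differently after this.
merge_var_tmp() {
  if [ -L /var/tmp ]; then
    warn "/var/tmp is already a symlink, leaving it alone"
    return 0
  fi
  if [ ! -d /var/tmp ]; then
    warn "/var/tmp does not exist, nothing to merge"
    return 0
  fi
  # A separate filesystem cannot be rm'ed; refuse before moving anything.
  if [ "$(stat -f %d /var/tmp)" != "$(stat -f %d /var)" ]; then
    die "/var/tmp is a separate filesystem; unmount it before merging it into /tmp"
  fi
  # find(1) also picks up dotfiles, which a /var/tmp/* glob would miss.
  find /var/tmp -mindepth 1 -maxdepth 1 -exec mv -- {} /tmp/ \; \
    || warn "some entries could not be moved from /var/tmp to /tmp"
  rm -rf /var/tmp || die "cannot remove /var/tmp"
  ln -s /tmp /var/tmp || die "cannot create the /var/tmp symlink"
}

# When at.allow exists only the users listed in it may use at(1)/batch(1).
restrict_at() {
  if [ ! -d "${AT_ALLOW%/*}" ]; then
    warn "skip: ${AT_ALLOW%/*} not present"
    return 0
  fi
  # Plain ASCII "root" -- the original line used typographic quotes, which
  # were written into the file and never matched the root account.
  printf 'root\n' > "$AT_ALLOW" || warn "cannot write $AT_ALLOW"
}

# Remove all "other" permissions from configuration files and from the
# binaries that reveal who is logged in or which jails exist. Paths that
# later receive an absolute mode (crontab, inetd.conf, sysctl.conf, rc.conf,
# at/atq/atrm/batch, last) are handled in lock_down_files instead.
hide_from_others() {
  # NOTE(review): /etc/group and /etc/hosts are read by unprivileged
  # processes (group-name lookups in ls -l/id, the libc resolver); hiding
  # them breaks those for ordinary users and protects no secret.
  set_mode o= \
    /etc/fstab /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow \
    /etc/hosts.equiv /etc/hosts.lpd /etc/login.access /etc/login.conf \
    /etc/newsyslog.conf /etc/ssh/sshd_config /etc/syslog.conf /etc/ttys \
    /var/log \
    /usr/bin/users /usr/bin/w /usr/bin/who /usr/bin/lastcomm \
    /usr/sbin/jls /usr/sbin/lastlogin

  # Strip setuid from the chpass family; the immutable flag has to go first.
  # On FreeBSD these six names are usually hard links to one binary, so the
  # chmod 500 applied to the yp* names in lock_down_files lands on
  # chpass/chfn/chsh as well.
  set_flags noschg /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
  set_mode u-s /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
  set_flags noschg /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
  set_mode u-s /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
}

# Absolute modes: configuration readable by root only, network and status
# tools executable by root only, legacy services disabled outright.
lock_down_files() {
  local f

  set_mode 600 /etc/sysctl.conf /etc/inetd.conf /etc/cvsupfile \
    /etc/daily.local /etc/adduser.conf /etc/adduser.message /etc/security
  set_mode 640 /etc/crontab
  set_mode 700 /etc/namedb /etc/ssh /etc/defaults /stand /root
  set_mode 711 /etc /usr/home /var
  # /etc/rc.* also matches the /etc/rc.d directory; only regular files
  # (rc.conf, rc.shutdown, ...) are meant to become 600.
  for f in /etc/rc.*; do
    [ -f "$f" ] && set_mode 600 "$f"
  done

  set_mode 500 \
    /sbin/sysctl /sbin/ping /sbin/ifconfig \
    /usr/sbin/arp /usr/sbin/traceroute \
    /usr/bin/finger /usr/bin/last /usr/bin/netstat /usr/bin/systat \
    /usr/bin/login /usr/bin/wall /usr/bin/vmstat \
    /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh \
    /usr/bin/nfsstat /usr/bin/logger \
    /usr/bin/key /usr/bin/keyinfo /usr/bin/keyinit \
    /usr/bin/keylogin /usr/bin/keylogout \
    /usr/bin/ipcs /usr/bin/fstat /usr/bin/doscmd /usr/bin/cu \
    /usr/bin/batch /usr/bin/at /usr/bin/atq /usr/bin/atrm

  # rsh/rlogin: drop the immutable flag so the mode can change, then set it
  # again so the binaries stay frozen at 500.
  set_flags noschg /usr/bin/rsh /usr/bin/rlogin
  set_mode 500 /usr/bin/rsh /usr/bin/rlogin
  set_flags schg /usr/bin/rsh /usr/bin/rlogin

  # legacy printing, uucp, ppp and IPv6 traceroute: nobody runs them here
  set_mode 000 /usr/bin/uustat /usr/libexec/uucp/uucico /usr/libexec/uucp/uuxqt \
    /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm /usr/sbin/lpc \
    /usr/sbin/pppd /usr/sbin/ppp /usr/sbin/traceroute6
  set_mode o-rx /usr/sbin/ifmcstat /usr/sbin/iostat /usr/sbin/pstat \
    /usr/sbin/swapinfo /usr/sbin/trpt
  set_mode o-w /var/spool/uucppublic

  # NOTE: 711 on everything in /usr/local/bin also clears the setuid/setgid
  # bits of port-installed programs, which breaks any that depend on them.
  for f in /usr/local/bin/*; do
    [ -e "$f" ] && set_mode 711 "$f"
  done
}

# add_sysctl KEY=VALUE: append to sysctl.conf unless KEY is already set there.
add_sysctl() {
  local entry key
  entry=$1
  key=${entry%%=*}
  if [ -f "$SYSCTL_CONF" ] \
    && awk -F= -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$SYSCTL_CONF"; then
    warn "skip (already in $SYSCTL_CONF): $key"
    return 0
  fi
  printf '%s\n' "$entry" >> "$SYSCTL_CONF" || warn "cannot append to $SYSCTL_CONF"
}

# enhance sysctl.conf
# The values take effect at the next boot; `sysctl -f /etc/sysctl.conf`
# applies them immediately. Keys already present are left as they are.
enhance_sysctl() {
  add_sysctl security.bsd.see_other_uids=0
  # NOTE(review): -1 is the default and the securelevel can only ever be
  # raised, so this line is a no-op; a positive securelevel is enabled with
  # kern_securelevel_enable / kern_securelevel in rc.conf.
  add_sysctl kern.securelevel=-1
  add_sysctl net.inet.tcp.blackhole=2
  add_sysctl net.inet.udp.blackhole=1
  add_sysctl net.inet.icmp.icmplim=50
  add_sysctl net.inet.ip.rtexpire=2
  add_sysctl net.inet.ip.rtminexpire=2
  add_sysctl net.inet.tcp.always_keepalive=1
  add_sysctl net.inet.ip.random_id=1
  add_sysctl net.inet.tcp.icmp_may_rst=0
  add_sysctl net.inet.icmp.maskrepl=0
  # NOTE(review): 0 keeps accepting ICMP redirects (the default); a
  # hardening profile normally sets this to 1.
  add_sysctl net.inet.icmp.drop_redirect=0
  add_sysctl net.inet.icmp.bmcastecho=0
  add_sysctl net.inet.tcp.log_in_vain=1
  add_sysctl net.inet.udp.log_in_vain=1
  add_sysctl net.link.ether.inet.max_age=600
  add_sysctl kern.ipc.somaxconn=32767
  add_sysctl net.inet.ip.rtmaxcache=256
  add_sysctl net.inet.ip.accept_sourceroute=0
  add_sysctl net.inet.ip.sourceroute=0
  # NOTE(review): the meaning of this value differs between releases
  # (modulus vs. on/off switch); check `sysctl -d kern.randompid` on the target.
  add_sysctl kern.randompid=348
  add_sysctl security.bsd.unprivileged_read_msgbuf=0
  add_sysctl net.inet.tcp.msl=7500
  add_sysctl kern.maxfiles=65536
  add_sysctl kern.maxfilesperproc=32768
  # net.inet.ip.fw.* and net.inet.ip.dummynet.* only exist once ipfw and
  # dummynet are loaded; otherwise they are reported as unknown at boot.
  add_sysctl net.inet.ip.fw.verbose=1
  add_sysctl net.inet.ip.fw.verbose_limit=5
  # NOTE(review): 0 disables SYN cookies and with them the kernel's defence
  # against SYN floods; a hardening profile normally leaves this at 1.
  add_sysctl net.inet.tcp.syncookies=0
  add_sysctl net.inet.tcp.drop_synfin=1
  add_sysctl net.inet.ip.fw.one_pass=1
  add_sysctl net.inet.ip.dummynet.hash_size=2048
  add_sysctl net.link.ether.inet.log_arp_wrong_iface=0
  add_sysctl vfs.ufs.dirhash_maxmem=12582912
}

main() {
  [ "$(id -u)" -eq 0 ] || die "this script must be run as root"
  merge_var_tmp
  restrict_at
  hide_from_others
  lock_down_files
  enhance_sysctl
}

main "$@"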

Ada 3 file yang saya biarkan tetap bersuid root, yaitu passwd, su, dan crontab. Ketiganya diperlukan di server shell hosting karena memang dibutuhkan oleh user.
